HIPAA Compliance Checklist for Small Practices 2026

Why Small Practices Face the Same HIPAA Exposure as Large Health Systems

The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) does not scale its enforcement expectations based on practice size. A solo family medicine physician and a 500-bed hospital are held to identical standards under the HIPAA Security Rule — and OCR's 2024 enforcement record makes that unmistakably clear. This HIPAA compliance checklist for small practices is designed to close the gap between what the regulation demands and what most small clinics, dental offices, and mental health practices have actually implemented.

Small practices frequently assume that limited patient volume reduces their breach risk or enforcement exposure. Neither assumption holds. Threat actors specifically target small healthcare providers because they tend to operate with weaker security controls, older infrastructure, and minimal IT staff. Meanwhile, the HHS breach portal logged 725 large breaches — each affecting 500 or more individuals — in 2023 alone, with independent practices and specialty clinics representing a significant share of those filings.

Working through this checklist section by section will help you document your current posture, identify gaps, and build a remediation roadmap that satisfies OCR's required and addressable implementation specifications under 45 C.F.R. Part 164. Pair it with structured cyber risk management to turn your findings into a defensible compliance program.

Section 1: Administrative Safeguards

Administrative safeguards account for the largest portion of the HIPAA Security Rule's required and addressable implementation specifications. They are also the most frequently cited area in OCR investigations because they demand written policies, documented training, and ongoing governance — all things small practices tend to handle informally or skip entirely.

Security Management Process (§164.308(a)(1))

Every covered entity must conduct a thorough risk analysis — an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all electronic Protected Health Information (ePHI) your organization creates, receives, maintains, or transmits. This is not a one-time project. OCR expects periodic reviews and a documented risk management plan that tracks how identified risks are being reduced to a reasonable and appropriate level.

Your administrative checklist for this specification should confirm:

• A written risk analysis exists and was completed or reviewed within the past 12 months
• A risk management plan documents controls implemented to address each identified risk
• A sanctions policy is in writing and applied consistently to workforce members who violate HIPAA policies
• Information system activity is reviewed on a defined schedule through audit log analysis

Designated Security Official (§164.308(a)(2))

The regulation requires one individual — not a committee and not a vendor — to be formally designated as your Security Official, responsible for developing and implementing your HIPAA security policies. For small practices, this is often the practice owner or office manager. What matters is that the designation is documented and the person understands their responsibilities. Pairing that individual with a qualified managed security services provider is a practical model for practices that cannot staff a dedicated security role.

Workforce Training and Access Management (§164.308(a)(3) and §164.308(a)(4))

All workforce members who interact with ePHI — including front desk staff, billing personnel, and clinical assistants — must receive security awareness training. The training must be documented, role-appropriate, and repeated when significant operational or threat environment changes occur. Access authorization procedures must ensure that each user accesses only the ePHI necessary for their job function, consistent with HIPAA's minimum necessary standard. Generic annual video modules rarely satisfy OCR's expectation of meaningful, ongoing security education.

Contingency Planning (§164.308(a)(7))

Your practice must have a documented contingency plan covering data backup, disaster recovery, emergency mode operations, and procedures for testing and revising those plans. Ransomware incidents — which routinely render ePHI inaccessible — have elevated this requirement from a formality to an operational necessity. See our guidance on building a cybersecurity incident response plan for a documentation framework that integrates with HIPAA contingency requirements.

Section 2: Physical Safeguards

Physical safeguards govern how your practice controls physical access to systems and media containing ePHI. OCR investigators consistently find violations in this area because small practices focus on digital security while overlooking the physical controls the regulation explicitly requires.

Facility Access Controls (§164.310(a)(1))

Your practice must implement policies and procedures to limit physical access to electronic information systems — and the facilities where they are housed — to authorized users only. For a typical small practice this means:

• Locked server rooms or equipment closets with access logs maintained for all entries
• Visitor access policies that require sign-in and escort procedures in areas where ePHI is accessible
• A documented process for revoking access badges and credentials when a workforce member departs

Workstation Use and Security (§164.310(b) and §164.310(c))

Every workstation that accesses ePHI must have a documented acceptable use policy defining how that workstation may be used and the physical safeguards surrounding it. Screens that display ePHI must not be visible to unauthorized individuals. In practice, this means screen privacy filters at check-in workstations in patient-facing areas and automatic lock timers configured to 15 minutes or fewer. These are low-cost controls that eliminate a significant category of incidental disclosure.

Device and Media Controls (§164.310(d)(1))

Before any hardware is retired, donated, or transferred, you must document a process for sanitizing it — overwriting storage media or destroying it physically. This specification also requires tracking which hardware and media contain ePHI and maintaining an inventory. A missing workstation or a stolen laptop is a reportable breach if the device held unencrypted ePHI. Encrypting all endpoints removes the breach notification obligation for stolen devices — making encryption one of the highest-return controls available to small practices. For network-level hardening guidance that complements physical controls, see our business network security guide.

Section 3: Technical Safeguards (45 C.F.R. §164.312)

The HIPAA Security Rule's technical safeguards define the technology-side controls you must implement to protect ePHI at rest and in transit. Unlike the administrative and physical requirements, technical safeguards map directly to specific software configurations, infrastructure decisions, and access control mechanisms that your IT environment must enforce.

Access Controls (§164.312(a)(1))

You must implement technical policies and procedures allowing only authorized persons to access ePHI. The four implementation specifications under this standard include:

• Unique user identification (Required): Assign each user a unique name or number for tracking system activity. Shared login credentials are a direct violation of this requirement and among the easiest gaps for OCR to identify in audit logs.
• Emergency access procedure (Required): Establish a process for obtaining ePHI during an emergency when normal access controls are unavailable — for example, during a ransomware incident or system outage.
• Automatic logoff (Addressable): Implement electronic procedures that terminate a session after a defined period of inactivity. Configure this at 10–15 minutes on all ePHI-accessing systems.
• Encryption and decryption (Addressable): Implement a mechanism to encrypt and decrypt ePHI. While classified as addressable, OCR consistently expects encryption to be deployed or a clearly documented rationale for why it is not.

Audit Controls (§164.312(b))

Audit controls carry no addressable alternative — you must implement hardware, software, and procedural mechanisms to record and examine activity in systems that contain ePHI. Your Electronic Health Record (EHR) system must generate access logs, those logs must be retained for a minimum of six years, and someone at your practice must review them on a defined schedule. Anomalous access patterns — a staff member pulling records outside their care team, or access from an unrecognized IP address — should trigger investigation. Our threat hunting guide covers methodologies for identifying anomalous activity in log data that apply directly to ePHI system monitoring.

Integrity Controls and Transmission Security (§164.312(c) and §164.312(e))

Integrity controls require that ePHI is not improperly altered or destroyed. Transmission security requires that ePHI sent over electronic communications networks is protected against unauthorized access. Any transmission of ePHI over public or untrusted networks — including email and patient portal communications — must use encryption. Transport Layer Security (TLS) 1.2 or higher is the accepted standard for data in transit, and most modern EHR and email platforms support it by default. Verify that your configurations enforce TLS rather than permitting downgrade to unencrypted connections. NIST SP 800-66 Rev. 2 provides detailed implementation guidance for applying the Security Rule's technical safeguards across common healthcare IT environments.

For a detailed look at vulnerability assessment methods that validate your technical controls, review our asset management and security assessment guide.

Section 4: Business Associate Agreements

Any vendor, contractor, or service provider that creates, receives, maintains, or transmits ePHI on your behalf is a Business Associate (BA) under HIPAA. Before sharing any patient data with a BA, you must execute a written Business Associate Agreement (BAA) that contractually obligates them to protect ePHI and comply with applicable HIPAA provisions. This is a required specification — there is no workaround.

Small practices frequently miss BAAs with vendors they do not immediately associate with healthcare data. The following relationships commonly require a signed BAA:

• Cloud-based EHR and practice management software vendors
• Medical billing and revenue cycle management companies
• IT service providers and managed security partners with access to systems containing ePHI
• Medical transcription and dictation services
• Off-site records storage and document shredding companies
• Answering services that handle patient communications
• Cloud backup providers storing ePHI

A valid BAA must contain specific elements: a description of permitted uses and disclosures of ePHI, obligations to report breaches within 60 days of discovery, requirements to safeguard ePHI in accordance with the Security Rule, and provisions for returning or destroying ePHI upon contract termination. Executing a BAA does not transfer your compliance obligations — if your vendor suffers a breach attributable in part to your failure to vet their security posture, OCR can investigate both parties.

Vet prospective BAs by requesting their most recent SOC 2 Type II report or ISO 27001:2022 certification before executing an agreement. These attestations confirm that an independent auditor has evaluated the vendor's security controls against a recognized standard. Do not accept a vendor's self-assessment as a substitute for third-party validation.

Section 5: Breach Notification and Civil Monetary Penalties

The HIPAA Breach Notification Rule (45 C.F.R. Part 164, Subpart D) requires covered entities to notify affected individuals, HHS, and in some cases prominent media outlets following a breach of unsecured ePHI. The notification timelines are strict and carry significant financial exposure for non-compliance.

Notification Timeline Requirements

Individual notification must occur within 60 days of discovering a breach. If the breach affects 500 or more individuals in a single state, you must also notify prominent media outlets in that state within the same 60-day window. Breaches affecting 500 or more individuals must be reported to HHS simultaneously with individual notification; smaller breaches may be compiled into an annual log submitted to HHS within 60 days of the calendar year's end.

Documenting the breach discovery date is operationally essential — the 60-day clock starts when the breach is known or reasonably should have been known, not when your investigation concludes. Delaying a formal discovery determination to extend the investigation window is a compliance risk, not a legal strategy.

Civil Monetary Penalty Structure

The most effective way to position your practice in the lowest possible penalty tier — should an incident occur — is to demonstrate a documented, good-faith compliance program maintained before the breach event. That means your risk analysis, policies, training records, and BAAs are in order before OCR comes knocking, not after. A documented cybersecurity incident response plan is a key component of that posture, providing the framework to make breach-or-not determinations quickly and accurately.

Consolidated HIPAA Compliance Checklist for Small Practices

Use the following reference to track your practice's status across all three safeguard categories. Each item maps to a specific Security Rule citation. This HIPAA compliance checklist for small practices is a self-assessment starting point — not a substitute for a formal risk analysis or legal review. For verification of your technical controls through active testing, see our penetration testing guide.

Administrative Safeguards Checklist

• ☐ Written risk analysis completed or reviewed within the past 12 months
• ☐ Risk management plan in place with documented remediation tracking
• ☐ Security Official formally designated and documented in writing
• ☐ Sanctions policy written and acknowledged by all workforce members
• ☐ System activity review schedule established with documented log reviews
• ☐ Workforce access authorization procedures documented by role
• ☐ Security awareness training completed by all staff; completion records retained
• ☐ Contingency plan covering backup, disaster recovery, and emergency mode operations documented and tested

Physical Safeguards Checklist

• ☐ Facility access control policies documented; server and equipment rooms locked with access logs
• ☐ Visitor access policy in place for areas where ePHI is accessible
• ☐ Workstation acceptable use policies in place for all ePHI-accessing workstations
• ☐ Screen privacy filters installed at check-in and patient-facing workstations
• ☐ Media disposal policy documented; hardware sanitized or destroyed before retirement
• ☐ Hardware and media inventory maintained with ePHI location tracking

Technical Safeguards Checklist

• ☐ Unique user IDs assigned; shared credentials prohibited on all ePHI systems
• ☐ Multi-Factor Authentication (MFA) enabled on EHR, email, and remote access systems
• ☐ Automatic session timeout configured at 15 minutes or fewer
• ☐ Full-disk encryption enabled on all workstations, laptops, and mobile devices
• ☐ TLS 1.2 or higher enforced for all ePHI transmitted over networks
• ☐ EHR audit logs enabled, retained for six years, and reviewed on a defined schedule
• ☐ Emergency access procedure documented and tested
• ☐ Encrypted backup solution in place with a tested, documented restoration process

Business Associate Management Checklist

• ☐ Complete BA inventory maintained with BAA execution and renewal dates
• ☐ All BAs with ePHI access have signed, HIPAA-compliant BAAs on file
• ☐ BA security posture vetted via SOC 2 Type II report or ISO 27001:2022 certification
• ☐ BAAs reviewed whenever vendor contracts are renewed or amended